
Computer Forensics Fundamentals

• Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence.
• Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination.
• Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.

Computer forensics assists in Law Enforcement. This can include:

• Recovering deleted files such as documents, graphics, and photos.
• Searching unallocated space on the hard drive, places where an abundance of data often resides.
• Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know how to find these artifacts and, more importantly, they know how to evaluate the value of the information they find.
• Processing hidden files (files that are not visible or accessible to the user) that contain past usage information. Often, this process requires reconstructing and analyzing the date codes for each file and determining when each file was created, last modified, last accessed and when deleted.
• Running a string-search for e-mail, when no e-mail client is obvious.
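The string search for e-mail over raw media, including unallocated space, can be sketched as follows. This is an added example, not code from the source text; the address pattern, the function names and the sample image are assumptions constructed for illustration.

```python
import io
import re

# Deliberately loose triage pattern; it is not a full RFC 5322 address parser.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def find_email_strings(stream, chunk_size=1 << 20, overlap=320):
    """Return [(byte_offset, address)] for a raw image read from `stream`.

    The image is read in chunks so it never has to fit in memory. A match
    that starts in the last `overlap` bytes of the buffer could be cut short
    by the chunk boundary, so it is deferred until more data has been read.
    Assumes addresses are shorter than `overlap` bytes.
    """
    hits = []
    base, buf = 0, b""            # base = image offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        final = not chunk
        buf += chunk
        cut = len(buf) if final else max(len(buf) - overlap, 0)
        resume = cut
        for m in EMAIL_RE.finditer(buf):
            if m.start() >= cut:
                break             # too close to the edge; rescan next pass
            hits.append((base + m.start(), m.group().decode("ascii")))
            resume = max(cut, m.end())
        base += resume
        buf = buf[resume:]
        if final:
            return hits


def sample_image():
    """Constructed stand-in for a raw image: binary filler plus two remnants."""
    return (b"\x00" * 100 + b"From: alice@example.com\r\n" + b"\xff" * 50
            + b"rcpt bob.smith@mail.example.org\x00" + b"\x00" * 40)


if __name__ == "__main__":
    image = io.BytesIO(sample_image())
    for offset, address in find_email_strings(image, chunk_size=32, overlap=64):
        print(f"0x{offset:08x}  {address}")
```

Recording the byte offset of each hit lets the examiner go back to the same place in the duplicate and inspect the surrounding data.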

Computers can contain evidence in many types of human resources proceedings, including sexual harassment suits, allegations of discrimination, and wrongful termination claims. Evidence can be found in electronic mail systems, on network servers, and on individual employee’s computers.




EMPLOYER SAFEGUARD PROGRAM

Employers must safeguard critical business information. An unfortunate concern today is the possibility that data could be damaged, destroyed, or misappropriated by a discontented individual. Before an individual is informed of their termination, a computer forensic specialist should come on-site and create an exact duplicate of the data on the individual’s computer. In this way, should the employee choose to do anything to that data before leaving, the employer is protected. Damaged or deleted data can be replaced, and evidence can be recovered to show what occurred. This method can also be used to bolster an employer’s case by showing the removal of proprietary information or to protect the employer from false charges made by the employee.

You should be equipped to find and interpret the clues that have been left behind. This includes situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy the evidence. For example, did you know?

• What Web sites have been visited?
• What files have been downloaded?
• When files were last accessed?
• Of attempts to conceal or destroy evidence?
• Of attempts to fabricate evidence?
• That the electronic copy of a document can contain text that was removed from the final printed version?
• That some fax machines can contain exact duplicates of the last several hundred pages received?
• That faxes sent or received via computer may remain on the computer indefinitely?
• That email is rapidly becoming the communications medium of choice for businesses?
• That people tend to write things in email that they would never consider writing in a memorandum or letter?
• That email has been used successfully in criminal cases as well as in civil litigation?
• That email is often backed up on tapes that are generally kept for months or years?
• That many people keep their financial records, including investments, on computers?

COMPUTER FORENSICS UNIT I – PART I

COMPUTER FORENSICS SERVICES *****

Computer forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:

1. DATA SEIZURE
• Following federal guidelines, computer forensics experts should act as the representative, using their knowledge of data storage technologies to track down evidence.
• The experts should also be able to assist officials during the equipment seizure process.

2. DATA DUPLICATION/PRESERVATION
• When one party must seize data from another, two concerns must be addressed:
  o the data must not be altered in any way
  o the seizure must not put an undue burden on the responding party
• The computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data.
• When experts work on the duplicate data, the integrity of the original is maintained.

3. DATA RECOVERY
• Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence.
• The ability to recover lost evidence is made possible by the expert’s advanced understanding of storage technologies.

4. DOCUMENT SEARCHES
• Computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours.
• The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.

M.  On-site service: Computer forensics experts should be able to travel to your location to per-form complete computer evidence services. While on-site. Priority service typically cuts your turnaround time in half. Monday through Friday) until the evidence is found. MEDIA CONVERSION  Computer forensics experts should extract the relevant data from old and un-readable devices.5. the experts should quickly be able to produce exact duplicates of the data storage media in question.M. 6.M. Saturday and Sunday. they should be able to offer the following services:  Standard service: Computer forensics experts should be able to work on your case during nor-mal business hours until your critical electronic evidence is found. and how it is relevant to a specific situation. COMPUTER EVIDENCE SERVICE OPTIONS Computer forensics experts should offer various levels of service. to 5:00 P.  This should help judges and juries comprehend how computer evidence is found. EXPERT WITNESS SERVICES  Computer forensics experts should be able to explain complex technical processes in an easy-tounderstand fashion. 7.  Priority service: Dedicated computer forensics experts should be able to work on your case during normal business hours (8:00 A. what it consists of. and place it onto new storage media for analysis. to locate the needed electronic evidence and will continue 14 Computer Forensics.. Second Edition working on your case until your evidence objectives are met.M..  Weekend service: Computer forensics experts should be able to work from 8:00 A. COMPUTER FORENSICS UNIT I – PART I 4 . each designed to suit your individual investigative needs.  Emergency service: Your computer forensics experts should be able to give your case the highest priority in their laboratories. For example. They should be able to work on it without interruption until your evidence objectives are met. to 5:00 P. convert it into readable formats.

8. OTHER MISCELLANEOUS SERVICES
Computer forensics experts should also be able to provide extended services. These services include:
• Analysis of computers and data in criminal investigations
• On-site seizure of computer data in criminal investigations
• Analysis of computers and data in civil litigation
• On-site seizure of computer data in civil litigation
• Analysis of company computers to determine employee activity
• Assistance in preparing electronic discovery requests
• Reporting in a comprehensive and readily understandable manner
• Court-recognized computer expert witness testimony
• Computer forensics on both PC and Mac platforms
• Fast turnaround time

BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY ****

A knowledgeable computer forensics professional should ensure that a subject computer system is carefully handled to ensure that:

1. No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
2. No possible computer virus is introduced to a subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.
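The requirement under DATA DUPLICATION/PRESERVATION (an exact duplicate, with the original unaltered) and the first benefit in the list above can be checked with cryptographic hashes. The following is an added example, not code from the source text; the function names, record fields and choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def duplicate_and_verify(source, image, chunk_size=1 << 20):
    """Copy `source` to `image` and return a record showing the copy is exact.

    The source is only ever opened read-only. Three digests are taken: the
    bytes as they were read, the finished image re-read from disk, and the
    source again afterwards. All three must agree.
    """
    read_digest = hashlib.sha256()
    size = 0
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            read_digest.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image, 0o444)  # analysis works from a read-only duplicate
    record = {
        "bytes": size,
        "sha256_as_read": read_digest.hexdigest(),
        "sha256_image": sha256_file(image, chunk_size),
        "sha256_source_after": sha256_file(source, chunk_size),
    }
    record["verified"] = (record["sha256_as_read"] == record["sha256_image"]
                          == record["sha256_source_after"])
    return record


def image_still_matches(image, record):
    """Re-check a working copy against the digest recorded at acquisition."""
    return sha256_file(image) == record["sha256_image"]
```

Storing the returned record with the case notes gives each later hand-off in the chain of custody a digest to re-check the duplicate against.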

STEPS TAKEN BY COMPUTER FORENSICS SPECIALISTS *****

The computer forensics specialist should take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject’s computer system. For example, the following steps should be taken:

1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all of discovered deleted files.
4. Reveal the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Access the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special areas of a disk. This includes but is not limited to what is called unallocated space on a disk, as well as slack space in a file (the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data.
8. Provide an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect, and encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.
9. Provide expert consultation and/or testimony, as required.

Source: COMPUTER FORENSICS: COMPUTER CRIME SCENE INVESTIGATION, JOHN VACCA

Send your feedback to kranthi@kranthi.
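The file slack described in step 6 can be located with simple arithmetic once the file size and the position of the file's last cluster are known. This is an added example, not code from the source text; the function names, the 512-byte cluster size and the sample image are constructed for illustration, and the last-cluster offset is assumed to come from the file system's own metadata.

```python
import re

CLUSTER = 512  # small cluster size chosen only to keep the sample image short
REMNANT = b"ACCT 4471 transfer approved by J. Doe"  # constructed old data


def slack_range(last_cluster_offset, file_size, cluster_size=4096):
    """Return (begin, end) image offsets of the slack in a file's last cluster.

    Only the part of the last cluster beyond the current file data is slack.
    A file whose size is an exact multiple of the cluster size has none.
    """
    if file_size <= 0:
        return (last_cluster_offset, last_cluster_offset)  # no data, no slack
    used = file_size % cluster_size or cluster_size
    return (last_cluster_offset + used, last_cluster_offset + cluster_size)


def slack_strings(image, last_cluster_offset, file_size,
                  cluster_size=4096, min_len=4):
    """List printable ASCII runs found in the slack as (image_offset, text)."""
    begin, end = slack_range(last_cluster_offset, file_size, cluster_size)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(begin + m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(image[begin:end])]


def sample_image():
    """Constructed image: an old record later partly overwritten by a new file.

    The new 700-byte file starts at cluster 1 (offset 512), so its last
    cluster is cluster 2 (offset 1024) and only 188 bytes of it are in use.
    """
    img = bytearray(4 * CLUSTER)
    img[1300:1300 + len(REMNANT)] = REMNANT    # data from a previous file
    img[512:512 + 700] = b"N" * 700            # current file contents
    return bytes(img)


if __name__ == "__main__":
    for offset, text in slack_strings(sample_image(), 1024, 700, CLUSTER):
        print(offset, text)
```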